u3 usb security risks

If anyone's been keeping up with the development of U3, a newer USB tech, you have probably heard of the software that is being black hatted that uses these drives to basically own a Win2k box or greater simply by plugging it in. The open source project, which I found quite alarming, only requires the U3 USB device to be plugged in and auto-discovered and opened to install whatever software has been configured as a payload. No keyboard interaction required, no admin access needed.

I know that turning off autorun for USB devices will slow the person down, but that just leaves the payload to be manually activated, and disabling USB altogether is the best idea but not always possible. I have only glimpsed at the project and source, but the trend seems to be to hide the payload as an MS update in $winnt-uninstall-kb-blah blah. What I am thinking is that detection of the installation would have to involve going into Add/Remove Programs and actually noting each update. What I would like to know is: is there a way to automatically pull the update names to a text file? Either from the registry or some other place that I don't know of, so that a batch file could poll the Windows Update uninstall folders residing in c:\windows and compare them to the actual updates that have been installed? If it's possible then a pretty simple batch script (or programming language of your choice) could be used to actually detect that the machine has been compromised and even tell you where the suspect folder is, maybe even pop open any suspect folder for manual inspection. From there it would have to be a standard clean-up, I guess, but I haven't heard of anything that can truly detect the exploit even most of the time.

Any input on the subject is welcome.

-----------------------edit------------------
I might have answered my own question. The c:\windows\WindowsUpdate.log seems to have the info; I just need to parse it.

It is all a question of physical security. CD and DVD drives pose the same threat as the USB drive.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

Maybe I was a little too drawn out in my first post. What I am trying to do is devise a method of identifying that the machine has been compromised, maybe in a haphazard fashion. Anything will do until MS releases a patch or until an AV company or the people behind Spybot release an update that will detect that the machine has been bugged. The update log would work for pulling the update names, but I would actually prefer to pull it from the same place that the Add/Remove Programs list does; I just don't know where that would be or if it would be possible at all.
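As an added example (not code from this thread or from any tool mentioned in it), the following PowerShell script does what the two posts above ask for: it pulls the Add/Remove Programs list from the registry key the applet reads, diffs it against a saved baseline, and flags $NtUninstallKB* folders in the Windows directory that have no matching registry entry. The baseline file location is an assumption.

```powershell
# Added example: snapshot the Add/Remove Programs list, diff it against a
# saved baseline, then cross-check the $NtUninstallKB* folders in
# %SystemRoot% against the registry. The baseline path is an assumption.
$Baseline = Join-Path $env:ProgramData 'arp-baseline.txt'

# Add/Remove Programs is built from these keys (the Wow6432Node key exists on 64-bit hosts only).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# One line per entry: "<subkey name>|<DisplayName>", so renamed entries show up as changes too.
function Get-InstalledEntries {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $props = Get-ItemProperty $sub.PSPath
            if ($props.DisplayName) { '{0}|{1}' -f $sub.PSChildName, $props.DisplayName }
        }
    }
}

$current = @(Get-InstalledEntries | Sort-Object -Unique)

# First run: record the known-good state and stop.
if (-not (Test-Path $Baseline)) {
    $current | Set-Content $Baseline
    Write-Output "Baseline written to $Baseline ($($current.Count) entries)."
    return
}

$known = @(Get-Content $Baseline)
$new = @(Compare-Object -ReferenceObject $known -DifferenceObject $current |
         Where-Object { $_.SideIndicator -eq '=>' } |
         ForEach-Object { $_.InputObject })

# An uninstall folder whose KB number appears nowhere in the registry list was not
# left there by a registered update and deserves a manual look. Folders are hidden, hence -Force.
$orphans = @(Get-ChildItem $env:SystemRoot -Directory -Force -Filter '$NtUninstall*' |
             Where-Object {
                 if ($_.Name -match 'KB\d+') { -not ($current -match $Matches[0]) } else { $true }
             })

if ($new)     { Write-Output 'New Add/Remove Programs entries since baseline:'; $new }
if ($orphans) { Write-Output 'Uninstall folders with no matching registry entry:'; $orphans.FullName }
if (-not $new -and -not $orphans) { Write-Output 'No changes since baseline.' }
```

Run it once on a known-clean machine to write the baseline, then schedule it; a folder listed under the second heading is the place to open for manual inspection.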

The basic concept is to register valid software and warn you if anything new has been added. Winsonar will also block unknown applications whilst you are connected to the net.
